Hitting Peak Prevention

These are my slides from AppSec Cali 2017, where I delivered a conceptual talk called Peak Prevention. It was a crap presentation/delivery, but the idea is pretty solid I think.

In retrospect, that’s not the conference for this type of talk. I knew that already, but when it comes time to submit I tend to just submit whatever’s on my mind at the time. I need to get better at matching content to conference, since I like to do both technical stuff and idea stuff.

I’ve been thinking about this idea of Peak Prevention for many years, and the concept is quite simple:

Risk is made up of probability and impact, and we have hit a point of diminishing returns with preventing bad things from happening. If we want to significantly reduce risk at this point we need to lower the other side of the equation (impact), which equates to resilience. In short, the future of risk reduction in an open society in many, many cases will come from resilience, not from prevention.

It really should have been a 15 minute talk, which has an associated essay. That’s the direction I’m starting to head for these types of things. Crisp, concise concepts—delivered in a way that doesn’t waste anyone’s time. Instant value, instant takeaways.

Anyway, those are the slides. It’s not very textual so you’ll have to sort of imagine the flow, but I’ll do a standalone essay on the topic soon.